write EWF back to disk

[Ben Fino-Radin]

Hi all,

Does anyone have any suggestions on an easy way to write an EWF file back out to disk?

When using ewfexport to raw, I'm trying to specify the device file of a disk as the destination, but it doesn't like it.

 

mac9650bfino-radin:~ bfino$ sudo ewfexport /Users/bfino/Downloads/Test.e01.E01  

ewfexport 20140608


 

Information for export required, please provide the necessary input

Export to format (raw, files, ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, encase7, encase7-v2, linen5, linen6, linen7, ewfx) [raw]:  

Target path and filename without extension or - for stdout: /dev/disk1

Evidence segment file size in bytes (0 is unlimited) (0 B <= value <= 7.9 EiB) [0 B]:  

Start export at offset (0 <= value <= 31914983424) [0]:  

Number of bytes to export (0 <= value <= 31914983424) [31914983424]:  


 

Export started at: Aug 29, 2016 14:59:09

This could take a while.


 

Export failed at: Aug 29, 2016 14:59:09

Unable to export input.

libcfile_file_open_with_error_code: unable to open file: /dev/disk1.raw with error: Operation not supported

libcfile_file_open: unable to open file.

libbfio_file_open: unable to open file: /dev/disk1.raw.

libcfile_file_seek_offset: invalid file - missing descriptor.

libbfio_file_seek_offset: unable to find offset in file: /dev/disk1.raw.

libbfio_handle_seek_offset: unable to find offset: -1 in handle.

libbfio_pool_open_handle: unable to seek offset.

libbfio_pool_open: unable to open entry: 0.

libsmraw_io_handle_create_segment: unable to open file IO pool entry: 0.

libfdata_stream_write_buffer: unable to create segment: 0.

libsmraw_handle_write_buffer: unable to write buffer to segments stream.

export_handle_write_buffer: unable to write storage media buffer.

export_handle_export_input: unable to write data to file.

Unable to close export handle.

libsmraw_information_file_open: unable to open: /dev/disk1.raw.info.

libsmraw_handle_close: unable to open information file.

export_handle_close: unable to close raw output handle.

Thinking that perhaps it is still just trying to write an image file, I instead tried using stdout and piping this to dd, which then writes to /dev/desk1, but it fails silently almost instantly.

I can restore to a raw image, and then use dd to write this to disk, but there must be an easier way without the intermediate step.

Suggestions?

[Ben Fino-Radin]

In the end, it seems the issue was that both ewfexport and dd need sudo, but everything gets confused because dd asks for the password instantly, and the interactive output of ewfexport plops itself in place of the password – what a mess!

As the root user is disabled by default on OS X, using su doesn't work either, but I found a workaround – do something first using sudo to "warm it up" – then the sudo for dd won't ask for the password again. Not pretty, but it worked.